[Snort-users] Snort dies after a few days.

Bill McCarty bmccarty at ...5196...
Mon Mar 25 10:09:03 EST 2002

My Snort, running under RHL 7.2 and using RH kernel 2.4.9-21, sometimes 
dies after a few hours of operation. When it does, it restarts cleanly, so 
I don't suspect configuration or environmental problems. However, unlike 
Emilio's case, Snort doesn't log an exit message. Neither does it log a 
message when the network interface enters or leaves promiscuous mode, 
apparently because the interface is configured without an IP address.

Moreover, from time to time, I inspect the TCP data in the packet logs. 
There, I regularly see Snort rules and other Snort-related data in the 
payload. I believe these are due to buffer overflows or other software bugs 
within Snort or possibly libpcap. My network is small and has relatively 
low traffic; moreover, it has limited bandwidth and therefore limited 
potential value to hackers other than novices. So, I tentatively rule out 
the paranoid possibility that hacked systems are using covert communication 
to transmit Snort data outside the network.

Q: Other than configuring for core dumps as Phil suggested, how can I best 
configure Snort to provide useful debugging data for its developers? Or, 
what data can I collect that might help discover -- better yet, fix -- 
what's up?

Just wanna help if I can <grin>.

--On Monday, March 25, 2002 9:02 AM -0700 Phil Wood <cpw at ...440...> wrote:

> There has been a discussion on the tcpdump.org list that indicates that
> RH 7.2 is broken in regards to libpcap and packet timestamps.  You might
> want to upgrade your kernel to 2.4.18 (www.kernel.org).
> [not for the uninitiated.]
> PS: If you make sure that your snort environment is providing "core"
> dumps,
>       prompt: ulimit -c 10000000
>     prior to starting snort, and you have a snort compiled with '-g', then
>     you could send information to the list that would be helpful.  See:

> On Mon, Mar 25, 2002 at 09:56:25AM +0100, Emilio Mira Alfaro wrote:
>> I'm using snort 1.8.4-beta4 I compiled with mysql and flexresp
>> support, libpcap 0.7.1, on RH 7.2 and it's listening from an ATM
>> interface. It's running ok, but after a few days, it dies for some
>> unknown reason. In /var/log/messages I get:
>> Mar  24 10:40:57 abc snort: Snort received signal 15, exiting
>> Mar  24 10:40:57 abc kernel: device atm0 left promiscuous mode

Bill McCarty

More information about the Snort-users mailing list